
LastPass Network Breached; Calls for Master Password Reset

Cloud-based password manager LastPass said its network has been breached and attackers stole personal information as well as salts and hashes.

Password manager LastPass disclosed today that its network was breached and advised users to change their master passwords and enable multifactor authentication.

CEO and founder Joe Siegrist said in a security notice that LastPass on Friday discovered suspicious activity on its network; encrypted user vault data was not taken, Siegrist said, nor were user accounts accessed. The attackers, however, did compromise LastPass account email addresses, password reminders, per-user salts, and authentication hashes.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist said.

A salt is random data added to a password before it is hashed. Because each user gets a different salt, an attacker cannot reuse precomputed dictionary or rainbow tables across accounts and must attack each stolen hash individually, which makes dictionary-based brute-force attacks far more expensive.

“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side,” Siegrist said. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
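The two-stage scheme Siegrist describes, as an added illustration that is not LastPass's code: a client-side PBKDF2-SHA256 step followed by a server-side step with a random per-user salt and 100,000 rounds. The client-side round count and the use of the e-mail address as the client-side salt are assumptions; the page states neither.

```python
import hashlib
import hmac
import os

# Round counts: the page states 100,000 server-side rounds; the client-side count is
# not given, so 5,000 here is an assumed placeholder, not LastPass's real value.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_side_hash(email: str, master_password: str) -> bytes:
    """Assumed client-side step: PBKDF2-SHA256 over the master password, salted with
    the lower-cased account e-mail. The page only says client-side rounds exist."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_side_strengthen(client_hash: bytes, salt: bytes) -> bytes:
    """Server-side step as described on the page: a random per-user salt and
    100,000 further rounds of PBKDF2-SHA256 over what the client sent."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Build the record a server stores: e-mail, per-user salt and authentication hash.
    These three fields are what the article says the attackers obtained."""
    salt = os.urandom(16)
    auth_hash = server_side_strengthen(client_side_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Recompute the full derivation and compare in constant time."""
    candidate = server_side_strengthen(client_side_hash(record["email"], master_password),
                                       record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def iterations_per_guess() -> int:
    """Work an attacker holding a stolen salt and hash must spend on every password
    guess: the whole client plus server derivation has to be repeated each time."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample accounts, not real LastPass data.
    a = enroll("alice@example.com", "correct horse battery staple")
    b = enroll("bob@example.com", "correct horse battery staple")
    print("same password, different salts -> different hashes:", a["auth_hash"] != b["auth_hash"])
    print("correct password verifies:", verify(a, "correct horse battery staple"))
    print("wrong password rejected:", not verify(a, "correct horse battery stapler"))
    print("PBKDF2 iterations per offline guess:", iterations_per_guess())
```

The salt is stored in the clear next to the hash, which is why Moore's point below holds: its job is to force per-account work, not to stay secret.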

Despite the attackers having accessed the salts and hashes, Paul Moore, a UK-based researcher, downplayed the risks.

“Salts aren’t meant to be secrets, and if [the] hashes are as strong as they say, there’s virtually no risk with strong passwords,” he told Threatpost.

Tod Beardsley, security engineering manager at Rapid7, pointed out that since the attackers don’t seem to have access to the vault passwords encrypted with the master password, the stolen account email addresses may pose a more immediate risk.

“The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” Beardsley said. “So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action.”

LastPass is indeed in the process of notifying customers by email of the breach. Users on a new device or IP address will be required to verify accounts via email, unless multifactor authentication is enabled.

LastPass, like some other password managers, is a browser-based tool that encrypts and decrypts data on the device before communicating with LastPass servers. Once the tool is downloaded, a user creates an account with their email address and a master password. As the user accesses online services, they are able to save log-in information, generate passwords and save profiles in the tool, including payment card information. LastPass offers free, as well as premium and enterprise versions of its product.

Password managers are juicy targets for hackers since they present a single point of access to numerous online accounts. Last summer, LastPass avoided trouble when it patched two security vulnerabilities that could have allowed attackers to target particular users and generate one-time passwords. During that week, a paper from the University of California Berkeley exposed critical vulnerabilities in not only LastPass, but also RoboForm, My1Login, PasswordBox and NeedMyPassword.

Discussion

This is why I never put my passwords online, but stay offline. I use Sticky Password and they offer an offline approach for password management. Not sure about others, but I think KeePass allows that as well.

Authors

Threatpost
